<div dir="ltr">Hey all,<div><br></div><div> I'm not familiar with WireGuard so I can only speak in an OpenVPN context. If the following doesn't apply to WireGuard at all than feel free to ignore me.</div><div><br></div><div> My main problem with "--script-security" is that its useless. It just causes OpenVPN to spit a line into a log file (and by that time its too late anyways). That isn't a security mechanism.</div><div><br></div><div> There also seems to be an expectation that users should understand these config files. I'm not sure why that is. Excuse my speaking in generalities but a majority of users aren't going to understand how OpenVPN works, let alone how the configuration file affects the program. Many users (myself included) simply receive config files from our bosses or our IT guy and trust that they aren't malicious. Call me naive or foolish but I don't review every single file passed my way for malicious content.</div><div><br></div><div> Furthermore, I've heard a few times now "config files exec things". Off the top of my head, I can't think of any other applications that execute shell commands listed in their configuration file. I have no idea where that is coming from. Its not a smart practice from a security point of view.</div><div><br></div><div> I'm not an OpenVPN expert. I'm just some guy that spent a little time reviewing the source. So I accept that my opinions might be bad. But if I was I dev I'd deprecate the entire system of executing programs listed in the configuration file. I'd try to migrate code into OpenVPN itself or the plugin system. At the very least, prompting the user and asking them for permission to execute whatever command seems like an improvement to me.</div><div><br></div><div>-Jake</div><div><br></div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 22, 2018 at 6:53 AM, Antonio Quartulli <span dir="ltr"><<a href="mailto:a@unstable.cc" target="_blank">a@unstable.cc</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 22/06/18 18:46, Jordan Glover wrote:<br>
> On June 22, 2018 3:56 AM, Antonio Quartulli <a@unstable.cc> wrote:<br>
>><br>
>> In case this might be useful: in OpenVPN there is an additional<br>
>><br>
>> parameter called "--script-security" that requires to be set to a<br>
>><br>
>> certain level before allowing configured scripts to be executed.<br>
>><br>
>> Unfortunately there is no real protection against the clueless user, who<br>
>><br>
>> can and will blindly enable that setting if asked by a $random VPN provider.<br>
>><br>
>> However, I still believe (and hope) that forcing the user to enable a<br>
>><br>
>> specific knob may raise the level of attention.<br>
>><br>
>> Maybe something similar could be added as a command line parameter to<br>
>><br>
>> wg/wg-quick so that it will execute the various<br>
>><br>
>> PostUp/PreUp/PostDown/PreDown only if allowed to?<br>
>><br>
>> Just as a side note: this is not a VPN specific problem, this is<br>
>><br>
>> something users can end up with everytime they execute some binary with<br>
>><br>
>> a configuration they have not inspected. So, be careful out there ;-)<br>
>><br>
>> Cheers,<br>
>><br>
> <br>
> Attacker can pass appropriate "--script-security" level with the very same config<br>
> containing malicious commands so this isn't solving problem of not looking at<br>
> the content of config files. <br>
<br>
</span>that's why I suggested to implement it as a command line knob for<br>
wg/wg-quick.<br>
<br>
But I totally agree with you that against this kind of issues there is<br>
not really a lot the developer can do - each of us is free to shoot<br>
himself in the foot.<br>
<br>
Regards,<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
Antonio Quartulli<br>
<br>
</font></span></blockquote></div><br></div>